Sauna — HackTheBox

Sauna is an easy-rated windows machine from created by egotisticalSW. Initial foothold focuses on getting a user hash that can be cracked to get user access. Discovering a password in the registry keys allows me to take over another user and privilege escalation is done by performing a dump of the admin hashes using mimikatz.

Reconnaissance

Nmap shows common ports with an Active Directory service(smb,rpc,ldap,kerberos) as well as port 80(http).

Http service shows a page of a banking institution.

Hovering over ‘Dropdown’ and clicking Our Team will give us possible users that we can compromise.

I listed the users on a file and attempted to grab their kerberos hashes with impacket’s GetNPUsers.

Gaining User Access

I was able to grab fsmith’s hash and cracked it using john.

Command: GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -no-pass -usersfile users.txt -dc-ip 10.10.10.175 -outputfile hash.txt

Within a few seconds, I found fsmith’s password which is ‘Thestrokes23’.

I logged in using the found credentials with evil-winrm and grabbed the user flag.

Lateral Movement

I discovered that there is another user in the system ‘svc_loanmgr’.

After more enumeration, I found a password in one of the registry keys.

I tried using it to login to svc_loanmgr and I got in successfully.

Privilege Escalation

From here, I uploaded mimikatz and attempted to dump the admin’s hashes which was successful.

I used the hash to perform a pass the hash technique in order to login to the system as Administrator and grabbed the root flag.

That is it for Sauna. Thank you for reading and have a good day!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store